The world is in shock after the most damaging ransomware attack in history, and many people ask how this is possible and what’s next.

How the attack was possible and who is affected

At TEMASOFT we’ve investigated the attack, and the results show that the ransomware itself is not very different from typical ransomware in the way it attacks files; the surprise element comes from the way it spreads. The malware, called Wanna Cry or WannaCryptor, exploits an SMB vulnerability that affects several versions of the Microsoft Windows operating system and can infiltrate machines that exhibit this vulnerability.

While the initial vector of attack is still subject to research, some experts believe the primary infection is caused by phishing emails. Once the virus infects a computer, it can spread automatically across the company network and doesn’t need users to perform further actions like accessing web links or opening emails. It is worth mentioning that Microsoft issued a patch in March to fix this problem, but the vast number of victims demonstrates that patching is still not a priority for many.

But the lack of patching might not be the only issue here. Many victims of this attack were institutions and big business. They all have active security measures in place. Why did they fail to catch the ransomware?

One explanation is that many antivirus products still use signatures as their main approach to detecting viruses, an approach that is useless against zero-day variants. Another reason is that other techniques, such as sandboxing or heuristic engines, that are successful against typical threats very often fail against ransomware. We looked at Google’s VirusTotal, and more than a day after the outbreak, only 70% of antivirus products flagged the Wanna Cry executable as malicious, while the others didn’t report it.

Unfortunately, this is not the first incident in which AVs and other conventional security products have been caught off guard by ransomware, and no matter what some security vendors say, the facts show that common security measures are not capable of fighting ransomware efficiently.

How to protect computers from ransomware like Wanna Cry

More specialized tools are needed to stop ransomware with a greater chance of success. A good option is to use anti-ransomware products that rely on behavioral analysis.

Keeping the operating system up to date is also a must. Users and administrators must turn on Windows auto-update or apply the latest patches through specialized applications.

Apart from patching and using dedicated anti-ransomware products, users must pay special attention to emails containing links or suspect attachments. Examples of such attachments are documents referring to bills, reservations, delivery and so on. Unless the sender is well-known, it’s better to avoid opening documents attached to emails. If an email seems legit and the user opens the attached documents, it is important not to enable document macros or other similar features.

The last resort that can save users when facing a ransomware attack is a functional and secure backup system.

What to expect next

The current ransomware attack is not over yet. Wanna Cry will claim more victims in the coming days, and it is important to take the appropriate measures to contain the outbreak. However, in the future, we can expect more similar attacks to occur, and people and businesses should start to act more firmly to defend themselves against ransomware; otherwise, they can only hope they won’t be the next victim.

How we can help

First of all, we highly recommend applying the Microsoft patch which eliminates the SMB vulnerability mentioned earlier. Click here to download the patch from the official location.

Secondly, as a permanent solution, we can help keep ransomware at bay through TEMASOFT Ranstop, our dedicated anti-ransomware software, which protects computers from common and zero-day ransomware. It uses a combination of a behavioral detection engine and real-time backup, which secures files against malware threats.

In particular, we tested TEMASOFT Ranstop against WannaCryptor: it caught the malware in less than 5 seconds, and no user document was lost.
